Vulnerability Disclosure Policy

Last updated: 12/9/2024

Due to the continued inability of the moderators of the WordPress Support Forum to operate in an appropriate manner, we have suspended our reasonable disclosure policy (described below) for plugins in the WordPress Plugin Directory and replaced it with full disclosure until such time as the moderators can handle things in a professional, adult manner. For each vulnerability we will fully disclose and then attempt to notify the developer only through the WordPress Support Forum. We hope this will be resolved soon (though we don’t think it is likely), as their current inappropriate behavior has been awful for the rest of the community for far too long.

For plugins in the WordPress Plugin Directory and in the ClassicPress Plugin Directory, we will handle vulnerabilities through reasonable disclosure, discussed below. The same holds true for plugins where the developer lists a method to contact them directly through a security.txt file (or equivalent file). We will also do this for any vulnerabilities in plugins from WP Engine, as long as they are being held hostage.

We also engage in reasonable disclosure with the results of security reviews we perform as part of our service and as a separate service.

Reasonable Disclosure Policy

We believe in reasonable disclosure, which involves giving developers notification of vulnerabilities we will disclose ahead of the disclosure, but does not involve waiting potentially forever for a developer to fix the vulnerability.

Many of the vulnerabilities we disclose are likely already being exploited, so not disclosing them means that people using the plugin are left completely vulnerable, whereas with disclosure they have a chance to do something. Therefore, we will quickly disclose those. Other providers also have the ability to include the vulnerabilities in their data, since we disclose them publicly at the same time.

For some other vulnerabilities we disclose, the vulnerabilities are rather obvious when looking at a report of another vulnerability in the plugin. If we have spotted those, you can be sure that others could as well, so keeping quiet about them does little to limit the possibility of their exploitation, and we will usually disclose those quickly.

As the funding for our discovery of all of these vulnerabilities comes from our customers paying to be notified of vulnerabilities in the plugins they use, keeping quiet about them for a significant amount of time also shortchanges our customers.

For vulnerabilities that are not being exploited and are not obvious because of a previous vulnerability, we will disclose them 30 days after notifying the developer if the developer responds to our notification, 7 days after notification if they don’t respond, or once they have been fixed, whichever comes first. For vulnerabilities where the developer is no longer around (which is fairly often the case with WordPress plugins), we will disclose them immediately.